Linux - Security (LinuxQuestions.org)

This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.


This is quite similar to my last post (which I solved by allowing only web mail access) but the situation is complex here.

A client is currently hosting an in-house mail server and wants to move to an ISP-hosted mail solution. Currently they are using a DSL connection with a static IP address. They have an Ubuntu box running iptables / squid to control web access, and client PCs can access the Internet only through the proxy.

The issue here is that the ISP is going to give server names instead of the IP addresses for SMTP / POP3 / IMAP (e.g. smtp.isp.com instead of xxx.xxx.xxx.xxx), and according to them the IPs are load balanced and may be changed without notice if they face a Denial of Service attack / high spam load.

Since I cannot proxy those email protocols, the only solution I have is to configure the default gateway of the client PCs to the Ubuntu box and open iptables for the above service ports.

As far as I know, iptables cannot control access based on domain names, so my question is: how can I tell iptables to allow connections only to the server names given by the ISP?

Thanks in advance (please note allowing only webmail is not going to work with this client).

"As far as I know iptables cannot control access based on domain names"

How did you get to this conclusion?

If you execute an iptables rule using a domain name, the IP is immediately substituted for it (a lookup is performed). So if the IP for the domain ever changes, your intended configuration won't apply any more. Depending on what you were doing, you could end up denying an authorized connection, or allowing an unauthorized one. So basically, you don't ever want to use domain-based iptables rules unless you're 100% certain the IP which will be resolved won't change (or you have some means of getting the iptables configuration updated dynamically, or you don't care about the potential problems, or it's just a band-aid while you figure out what to do, etc.).

Thanks for the replies. Regarding win32sux's answer: if a lookup is performed when a domain name is used, won't it automatically allow access to the new IP if the IP address for the domain name changes (iptables has access to DNS)? If I've got it wrong, please explain. Thanks.

The lookup is only performed when the rule is executed - not when it's used. Therefore, whatever IP you get when it's executed will be the IP you remain with until the rule is deleted.

One solution (not necessarily the best) is to write a simple script and cron it to regularly test the value of the IP address vs. the iptables rule; if they're not the same, then flush and reload iptables (which will give it the new IP at run time), or delete the rule and re-add it, depending on how your iptables is configured.
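The cron-driven refresh described in the last reply, as an added example that is not from the thread. It assumes the ISP hostnames are the placeholders from the original post (smtp.isp.com, etc.); the chain name, state file path and port list are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Cron this on the Ubuntu gateway
# (e.g. every 5 minutes): it re-resolves the ISP mail hostnames and rewrites
# the forwarding rules only when the resolved addresses differ from the cached
# ones, so the rules follow the ISP's load-balanced IPs instead of the one
# address iptables captured when the rule was first loaded.
set -eu

MAIL_HOSTS="smtp.isp.com pop3.isp.com imap.isp.com"   # placeholders from the post
MAIL_PORTS="25,110,143,465,587,993,995"               # SMTP/POP3/IMAP incl. TLS
CHAIN="ISP_MAIL"                  # assumed: own chain so a flush touches only these
STATE="/var/lib/isp-mail-fw/ips"  # assumed: cache of the last applied address list
IPT="${IPT:-iptables}"            # set IPT=echo to dry-run without root

# Resolve every hostname to its IPv4 addresses; one sorted, de-duplicated list.
resolve_all() {
    for h in $MAIL_HOSTS; do
        getent ahostsv4 "$h" | awk '{print $1}'
    done | sort -u
}

# Returns 0 (true) when the fresh list differs from the cached one, 1 if identical.
addresses_changed() {   # $1 = cached list, $2 = fresh list
    [ "$1" != "$2" ]
}

# Replace the chain contents with one ACCEPT per resolved address; any other
# destination on the mail ports is refused by the chain's final rule.
rebuild_chain() {       # $1 = newline-separated address list
    "$IPT" -N "$CHAIN" 2>/dev/null || true
    "$IPT" -F "$CHAIN"
    for ip in $1; do
        "$IPT" -A "$CHAIN" -p tcp -d "$ip" -m multiport --dports "$MAIL_PORTS" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    "$IPT" -A "$CHAIN" -j REJECT --reject-with tcp-reset
}

main() {
    fresh=$(resolve_all)
    # A failed lookup must not wipe the working rules: keep the old set.
    [ -n "$fresh" ] || { echo "DNS lookup failed, keeping old rules" >&2; exit 1; }
    cached=$(cat "$STATE" 2>/dev/null || true)
    if addresses_changed "$cached" "$fresh"; then
        rebuild_chain "$fresh"
        mkdir -p "$(dirname "$STATE")" && printf '%s\n' "$fresh" > "$STATE"
    fi
}

# Only act when invoked with --apply, so the functions can be sourced or tested.
if [ "${1:-}" = "--apply" ]; then main; fi
```

Hook the chain into the forwarding path once, e.g. `iptables -I FORWARD -i <lan-if> -p tcp -m multiport --dports 25,110,143,465,587,993,995 -j ISP_MAIL`; the script then only ever touches the ISP_MAIL chain.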